The May 2018 implementation of the GDPR will soon impact many organizations in the financial services industry, with numerous provisions that specifically require stringent policies and procedures for compliance. Banks are widely presumed to be a likely target for audits and enforcement actions. Here we cover what you need to know as a member of your organization's compliance or risk management function.
Does the GDPR Apply to Companies in Financial Services?
The General Data Protection Regulation (GDPR) is a European Union law that will have a great impact on any company that processes the personal data of individuals in the EU, even if the company itself is not located in the EU (the regulation is keyed to where the data subjects are, not to their citizenship). This regulation will be especially important for organizations in the finance industry, as the personal financial data of EU data subjects will need to be protected in compliance with GDPR requirements. The GDPR takes effect on May 25, 2018, and companies are encouraged to begin preparations now in order to meet the requirements by that date.
GDPR and Financial Services
The finance industry is accustomed to strict regulation and oversight, but with the implementation of the GDPR, financial services organizations such as banks and investment advisory firms will be required to tighten their policies and procedures concerning the use and storage of personal data. Many organizations have become heavily reliant on acquiring the data of their customers to enhance decision making and marketing. According to Ingram Micro Advisor, there are five main ways banks and other financial institutions use data:
- Fraud Detection
- Compliance and Regulatory Requirements
- Customer Segmentation
- Personalized Marketing
- Risk Management
What are the Key Challenges?
The GDPR brings its own set of complications for banks and other financial institutions. A poll carried out by software solutions provider Varonis in March 2015 found that many within the financial sector believe banks will be among the first organizations prioritized for GDPR auditing. At the time of the poll, however, only 50% of respondents believed their institution was ready to comply with the GDPR, and more than two-thirds said they did not know what to do in order to comply.
Impacts on the Financial Industry Under GDPR
1. Consent
The GDPR sets a high standard for consent and defines it as “offering individuals genuine choice and control.” Under the GDPR, all of the responsibility for demonstrating consent is placed upon the company. You will be required not only to ask for an individual's consent before collecting or processing their data on that basis, but also to keep a record of when, how, and what you told each individual when consent was obtained. On top of that, companies must allow individuals to withdraw their consent at any time, and withdrawing must be as easy as giving it. Note that consent is only one of the lawful bases the GDPR recognises: processing a bank performs to fulfil a contract or to meet a legal obligation (such as anti-money-laundering checks) should rest on those bases rather than on a consent the customer cannot meaningfully refuse. The UK's Information Commissioner's Office suggests building regular consent reviews into your business processes to ensure continual compliance.
2. Right to Data Erasure
The right to data erasure, also known as the “right to be forgotten”, gives an individual the right to have their bank or financial institution erase their personal data, as long as there is no compelling reason to continue processing. The right is not absolute: data a financial institution must retain to meet a legal obligation (for example, statutory record-keeping periods for anti-money-laundering purposes) is exempt, so the retention reason for each data set should be documented in advance. Where the institution has made the data public or shared it with third-party organizations, it must also take reasonable steps to inform those recipients of the erasure request. Companies will need robust data inventories and data lineage tracking in place in order to execute requests to remove personal data effectively and efficiently.
3. Consequences of a Breach
The GDPR has very strict requirements if personal data is breached. Under the GDPR, a personal data breach is “any breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” An organization has 72 hours to inform the relevant supervisory authority of the breach once it has become aware of it, and must notify the affected individuals without undue delay when the breach is likely to result in a high risk to them. Because it may be impossible to fully investigate the details of a breach within the 72-hour window, the GDPR allows the required information to be provided to the supervisory authority in phases, and it requires the organization to document every breach, including those it decides not to report, so that the reasoning can be reviewed later.
4. Privacy by Design
Privacy by Design is an approach that builds data protection and privacy into any business policy, procedure, or project from the outset rather than bolting it on afterwards. Willis Towers Watson reports, “‘Privacy by design’ requirements now mean that following a breach, regulators will examine the measures an organisation took to safeguard personal data in order to determine fines.” This means all accountability for compliance and data protection rests with the company. It requires that companies demonstrate how they comply via organisational and technical controls (data minimisation, pseudonymisation, access restriction, and documented impact assessments), not merely assert that they comply.
For companies that do not meet the requirements or are found to be noncompliant, the consequences will be severe, with fines of up to four percent of annual worldwide turnover or €20 million, whichever is greater.
5. Vendor Management
Data is at the very core of every financial institution and is constantly being shared across multiple IT applications. It is imperative that each bank and financial firm have a clear process and procedure in place for all external vendors handling their customer data, including a written contract that sets out the processing instructions, security measures, and sub-processor approvals the GDPR requires. World Finance states, “The increased trend towards outsourcing development and support functions means that personal client data is often accessed by external vendors, which significantly increases the data’s net exposure. Under GDPR, vendors cannot disassociate themselves from obligations towards data access.”
6. Data Protection Officer
Many companies in the finance industry will be required to appoint a Data Protection Officer (DPO) because their core activities involve regular and systematic monitoring of individuals on a large scale, mostly for the sake of personalized marketing, fraud detection, and customer segmentation. The DPO will be required to monitor the company's compliance with the GDPR, including managing internal data protection activities, advising on data protection impact assessments, training staff, conducting internal audits, and acting as the point of contact for the supervisory authority.
The wide-ranging requirements of the GDPR, which must be implemented in a compressed time period, present significant challenges for organizations in the financial services industry. LogicGate is helping companies meet GDPR compliance requirements by centralizing and automating the critical new processes that must now be executed to achieve compliance, as well as enhancing existing manual processes, such as third-party risk management, that must incorporate additional privacy considerations when assessing data processors. With May quickly approaching, the more you can centrally manage and automate the extensive GDPR requirements, the closer you will be to reaching compliance.